Whistleblower: Ubiquiti Breach “Catastrophic” – Krebs on Security

On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication.


A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020 contacted KrebsOnSecurity after raising his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities. The source — we’ll call him Adam — spoke on condition of anonymity for fear of retribution by Ubiquiti.

“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers,” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”

Ubiquiti has not responded to repeated requests for comment.

Update, Mar. 31, 6:58 p.m. ET: In a post to its user forum, Ubiquiti said its security experts identified “no evidence that customer information was accessed, or even targeted.” Ubiquiti can say this, says Adam, because it failed to keep records of which accounts were accessing that data. We’ll hear more about this from Adam in a bit.

Original story:

According to Adam, the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged “third party” involved in the breach. Ubiquiti’s breach disclosure, he wrote, was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack.”

In its Jan. 11 public notice, Ubiquiti said it became aware of “unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” although it declined to name the third party.


In reality, Adam said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there.

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.

Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.

Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.

Adam says Ubiquiti’s security team picked up signals in late December 2020 that someone with administrative access had set up several Linux virtual machines that weren’t accounted for.

Then they found a backdoor that an intruder had left behind in the system.
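One way to surface the kind of signal described above (virtual machines launched by an administrative identity that no inventory accounts for), as an added example that is not from the article or from Ubiquiti: it scans constructed CloudTrail-format RunInstances records and flags instances missing from a known inventory or launched by the root user or an identity outside an allow-list. The account ID, ARNs, instance IDs and inventory are all made up.

```python
import json

# Constructed CloudTrail-style log (not real data): one launch by an expected
# deployment role, one launch of two instances by the account root user, plus
# an unrelated read-only call that the scan must ignore.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb222"},
                                                     {"instanceId": "i-0ccc333"}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

# Constructed inventory (e.g. exported from infrastructure-as-code state) and
# constructed allow-list of identities expected to launch compute.
KNOWN_INSTANCES = {"i-0aaa111"}
EXPECTED_LAUNCHERS = {"arn:aws:sts::111122223333:assumed-role/deploy/ci"}


def find_unaccounted_launches(log_text, known_instances, expected_launchers):
    """Return (instance_id, launcher_arn, reasons) for every instance created by
    a RunInstances event that is absent from the inventory, launched by the
    root identity, or launched by an ARN not on the allow-list."""
    findings = []
    for ev in json.loads(log_text)["Records"]:
        if ev.get("eventName") != "RunInstances":
            continue
        ident = ev.get("userIdentity", {})
        arn = ident.get("arn", "")
        items = ev.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        for item in items:
            iid = item["instanceId"]
            reasons = []
            if iid not in known_instances:
                reasons.append("not-in-inventory")
            if ident.get("type") == "Root":
                reasons.append("root-identity")
            elif arn not in expected_launchers:
                reasons.append("unexpected-launcher")
            if reasons:
                findings.append((iid, arn, ",".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in find_unaccounted_launches(SAMPLE_LOG, KNOWN_INSTANCES, EXPECTED_LAUNCHERS):
        print(finding)
```

The same scan works on real CloudTrail delivery files once the inventory and allow-list are replaced with the organization's own.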

When security engineers removed the backdoor account in the first week of January, the intruders responded by sending a message saying they wanted 50 bitcoin (~$2.8 million USD) in exchange for a promise to remain quiet about the breach. The attackers also provided proof they’d stolen Ubiquiti’s source code, and pledged to disclose the location of another backdoor if their ransom demand was met.

Ubiquiti did not engage with the hackers, Adam said, and ultimately the incident response team found the second backdoor the extortionists had left in the system. The company would spend the next few days furiously rotating credentials for all employees, before Ubiquiti started alerting customers about the need to reset their passwords.

But he maintains that instead of asking customers to change their passwords when they next log on — as the company did on Jan. 11 — Ubiquiti should have immediately invalidated all of its customers’ credentials and forced a reset on all accounts, mainly because the intruders already had credentials needed to remotely access customer IoT systems.

“Ubiquiti had negligent logging (no access logging on databases) so it was unable to prove or disprove what they accessed, but the attacker targeted the credentials to the databases, and created Linux instances with networking connectivity to said databases,” Adam wrote in his letter. “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”

If you have Ubiquiti devices installed and haven’t yet changed the passwords on the devices since Jan. 11 this year, now would be a good time to take care of that.

It might also be a good idea to just delete any profiles you had on these devices, make sure they’re up to date on the latest firmware, and then re-create those profiles with new [and preferably unique] credentials. And seriously consider disabling any remote access on the devices.

Ubiquiti’s stock price has grown remarkably since the company’s breach disclosure Jan. 16. After a brief dip following the news, Ubiquiti’s shares have surged from $243 on Jan. 13 to $370 as of today. By market close Tuesday, UI had slipped to $349. Update, Apr. 1: Ubiquiti’s stock opened down almost 15 percent Wednesday; as of Thursday morning it was trading at $298.

Source of this news: https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/
